Subject: Run #1 Search Operation
Author: aci
In response to: Step-by-step guide to set-up proxy authorization:
Posted on: 03/21/2014 12:48:02 AM

C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
 -w secret -b "dc=example,dc=com" "(uid=user.3)"

Nothing is returned, because no aci was set to allow users from the Support department to search or read.

C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Develop,dc=example,dc=com"
 -w secret -b "dc=example,dc=com" "(uid=user.3)"

dn: uid=user.3,ou=Sales,dc=example,dc=com
dn: uid=user.3,ou=Support,dc=example,dc=com
dn: uid=user.3,ou=Develop,dc=example,dc=com

A search by a user from the Develop department returns all (3) user accounts whose uid matches the value 'user.3'.

C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
 -w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com"
 -b "dc=example,dc=com" "(uid=user.3)"

dn: uid=user.3,ou=Sales,dc=example,dc=com

The same search by the same Support user, but using the proxy right of another user from the Develop department, returns one result. This is because the proxy rule has narrowed the target to the Sales department via proxy.


 

> On 03/21/2014 12:21:58 AM aci wrote:

Step 1) Specify who can use Proxy Authorization Control {2.16.840.1.113730.3.4.18}
    aci: (targetcontrol="2.16.840.1.113730.3.4.18 || 1.2.840.113556.1.4.319") 
         (version 3.0; acl "Authenticated users control access"; 
         allow (read) userdn="ldap:///all";)

Here, all authenticated users can use controls.

Step 2) Specify who has the privilege to act as proxy

The privilege setting depends on what server you are using.

Step 3) Specify who can act as proxy and on what target
   aci: (target="ldap:///ou=Sales,dc=example,dc=com")(targetattr="*")
        (version 3.0; acl "Who can use proxy on what"; 
        allow (proxy) userdn="ldap:///uid=*,ou=Support,dc=example,dc=com";)


Step 4) Specify the proxied user's right
   aci: (target="ldap:///dc=example,dc=com")(targetattr="*")
        (version 3.0; acl "Developers can access all departments"; 
        allow (all) userdn="ldap:///uid=*,ou=Develop,dc=example,dc=com";)
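An added example, not part of either post: an offline model of how the step 3 and step 4 ACIs combine to produce the three results shown above. It assumes the usual directory-server semantics (an ACI applies when the entry lies under its target and the bind DN matches its userdn, "all" grants every right except proxy), and the simplified rule that a proxied search returns an entry only when the binder holds "proxy" on it and the proxied user holds "read" on it; entry DNs are constructed from run #2.

```python
from fnmatch import fnmatchcase

# Constructed ACIs, transcribed from steps 3 and 4 of the guide
# (the targetcontrol ACI from step 1 only gates use of the control).
ACIS = [
    {"target": "ou=Sales,dc=example,dc=com", "rights": {"proxy"},
     "userdn": "uid=*,ou=Support,dc=example,dc=com"},
    {"target": "dc=example,dc=com", "rights": {"all"},
     "userdn": "uid=*,ou=Develop,dc=example,dc=com"},
]

# Constructed directory: the three user.3 entries listed in run #2.
ENTRIES = [f"uid=user.3,ou={ou},dc=example,dc=com"
           for ou in ("Sales", "Support", "Develop")]


def _under(dn, target):
    """True if dn is the target entry or lies beneath it."""
    return dn == target or dn.endswith("," + target)


def granted(bind_dn, entry_dn, right):
    """True if some ACI grants `right` on entry_dn to bind_dn.
    'all' covers read/write/etc. but never proxy (assumed server semantics)."""
    for aci in ACIS:
        if not (_under(entry_dn, aci["target"])
                and fnmatchcase(bind_dn, aci["userdn"])):
            continue
        if right in aci["rights"] or ("all" in aci["rights"] and right != "proxy"):
            return True
    return False


def search(bind_dn, proxy_as=None):
    """Entries a (uid=user.3) search would yield, optionally proxied as another DN."""
    results = []
    for dn in ENTRIES:
        if proxy_as is None:
            visible = granted(bind_dn, dn, "read")
        else:  # binder needs the proxy right, the proxied user needs read
            visible = granted(bind_dn, dn, "proxy") and granted(proxy_as, dn, "read")
        if visible:
            results.append(dn)
    return results


if __name__ == "__main__":
    support, develop = "uid=user.1,ou=Support,dc=example,dc=com", "uid=user.1,ou=Develop,dc=example,dc=com"
    print("run 1:", search(support))                 # []
    print("run 2:", search(develop))                 # all three user.3 entries
    print("run 3:", search(support, proxy_as="uid=user.2,ou=Develop,dc=example,dc=com"))  # Sales only
```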




